target/board/generic/sepolicy/dhcpclient.te +9 −5 # DHCP client # DHCP client type dhcpclient, domain, domain_deprecated; type dhcpclient, domain; type dhcpclient_exec, exec_type, file_type; type dhcpclient_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(dhcpclient) init_daemon_domain(dhcpclient) net_domain(dhcpclient) net_domain(dhcpclient)
@@ -9,8 +9,12 @@ allow dhcpclient execns:fd use; set_prop(dhcpclient, net_eth0_prop); set_prop(dhcpclient, net_eth0_prop); allow dhcpclient self:capability { net_admin net_raw }; allow dhcpclient self:capability { net_admin net_raw }; allow dhcpclient self:packet_socket { create bind ioctl read write }; allow dhcpclient self:udp_socket create; allow dhcpclient self:udp_socket { ioctl create }; allow dhcpclient self:netlink_route_socket { write nlmsg_write }; allow dhcpclient self:netlink_route_socket { write nlmsg_write }; allow dhcpclient varrun_file:dir search; allow dhcpclient varrun_file:dir search; allow dhcpclient self:packet_socket { create bind write read }; allowxperm dhcpclient self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK SIOCSIFMTU SIOCGIFHWADDR }; target/board/generic/sepolicy/dhcpserver.te +2 −2 # DHCP server # DHCP server type dhcpserver, domain, domain_deprecated; type dhcpserver, domain; type dhcpserver_exec, exec_type, file_type; type dhcpserver_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(dhcpserver) init_daemon_domain(dhcpserver) net_domain(dhcpserver) net_domain(dhcpserver) target/board/generic/sepolicy/execns.te +3 −7 # Network namespace transitions # Network namespace transitions type execns, domain, domain_deprecated; type execns, domain; type execns_exec, exec_type, file_type; type execns_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(execns) init_daemon_domain(execns) allow execns varrun_file:dir search; allow execns varrun_file:dir search; allow execns self:capability sys_admin; allow execns self:capability sys_admin; allow execns proc:file { open read }; #Allow execns itself to be run by init in its own domain #Allow execns itself to be run by init in its own domain domain_auto_trans(init, execns_exec, execns); domain_auto_trans(init, execns_exec,
execns); @@ -19,8 +20,3 @@ domain_auto_trans(execns, dhcpserver_exec, dhcpserver); # Allow hostapd to be run by execns in its own domain # Allow hostapd to be run by execns in its own domain domain_auto_trans(execns, hostapd_exec, hostapd); domain_auto_trans(execns, hostapd_exec, hostapd); allow hostapd execns:fd use; allow hostapd execns:fd use; # Allow dnsmasq to be run by execns in its own domain domain_auto_trans(execns, dnsmasq_exec, dnsmasq); allow dnsmasq execns:fd use; target/board/generic/sepolicy/file_contexts +5 −4 @@ -17,11 +17,12 @@ /dev/ttyS2 u:object_r:console_device:s0 /dev/ttyS2 u:object_r:console_device:s0 /vendor/bin/init\.ranchu-core\.sh u:object_r:goldfish_setup_exec:s0 /vendor/bin/init\.ranchu-core\.sh u:object_r:goldfish_setup_exec:s0 /vendor/bin/init\.ranchu-net\.sh u:object_r:goldfish_setup_exec:s0 /vendor/bin/init\.ranchu-net\.sh u:object_r:goldfish_setup_exec:s0 /vendor/bin/init\.wifi\.sh u:object_r:goldfish_setup_exec:s0 /vendor/bin/qemu-props u:object_r:qemu_props_exec:s0 /vendor/bin/qemu-props u:object_r:qemu_props_exec:s0 /system/bin/execns u:object_r:execns_exec:s0 /vendor/bin/execns u:object_r:execns_exec:s0 /system/bin/ipv6proxy u:object_r:ipv6proxy_exec:s0 /vendor/bin/ipv6proxy u:object_r:ipv6proxy_exec:s0 /system/bin/dhcpclient u:object_r:dhcpclient_exec:s0 /vendor/bin/dhcpclient u:object_r:dhcpclient_exec:s0 /system/bin/dhcpserver u:object_r:dhcpserver_exec:s0 /vendor/bin/dhcpserver u:object_r:dhcpserver_exec:s0 /vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine u:object_r:hal_drm_widevine_exec:s0 /vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine u:object_r:hal_drm_widevine_exec:s0 target/board/generic/sepolicy/goldfish_setup.te +16 −3
@@ -16,10 +16,23 @@ allow goldfish_setup vendor_shell_exec:file { rx_file_perms }; set_prop(goldfish_setup, ctl_default_prop); set_prop(goldfish_setup, ctl_default_prop); # Set up WiFi # Set up WiFi allow goldfish_setup self:netlink_route_socket nlmsg_write; allow goldfish_setup self:netlink_route_socket { create nlmsg_write setopt bind getattr read write nlmsg_read }; allow goldfish_setup self:netlink_socket create_socket_perms; allow goldfish_setup self:netlink_socket create_socket_perms_no_ioctl; allow goldfish_setup self:capability { sys_module sys_admin }; allow goldfish_setup self:capability { sys_module sys_admin }; allow goldfish_setup varrun_file:dir { mounton open read write add_name search remove_name }; allow goldfish_setup varrun_file:dir { mounton open read write add_name search remove_name }; allow goldfish_setup varrun_file:file { mounton getattr create read write open unlink }; allow goldfish_setup varrun_file:file { mounton getattr create read write open unlink }; allow goldfish_setup execns_exec:file rx_file_perms; allow goldfish_setup execns_exec:file rx_file_perms; allow goldfish_setup proc_net:file w_file_perms; allow goldfish_setup proc_net:file rw_file_perms; allow goldfish_setup proc:file r_file_perms; set_prop(goldfish_setup, ctl_default_prop); allow goldfish_setup system_data_file:dir getattr; allow goldfish_setup kernel:system module_request; # Allow goldfish_setup to run /system/bin/ip and /system/bin/iw allow goldfish_setup system_file:file execute_no_trans; # Allow goldfish_setup to run init.wifi.sh allow goldfish_setup goldfish_setup_exec:file execute_no_trans; # iw allow goldfish_setup sysfs:file { read open }; # iptables allow goldfish_setup system_file:file lock; allow goldfish_setup self:rawip_socket { create getopt setopt };
target/board/generic/sepolicy/dhcpclient.te +9 −5 # DHCP client # DHCP client type dhcpclient, domain, domain_deprecated; type dhcpclient, domain; type dhcpclient_exec, exec_type, file_type; type dhcpclient_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(dhcpclient) init_daemon_domain(dhcpclient) net_domain(dhcpclient) net_domain(dhcpclient) @@ -9,8 +9,12 @@ allow dhcpclient execns:fd use; set_prop(dhcpclient, net_eth0_prop); set_prop(dhcpclient, net_eth0_prop); allow dhcpclient self:capability { net_admin net_raw }; allow dhcpclient self:capability { net_admin net_raw }; allow dhcpclient self:packet_socket { create bind ioctl read write }; allow dhcpclient self:udp_socket create; allow dhcpclient self:udp_socket { ioctl create }; allow dhcpclient self:netlink_route_socket { write nlmsg_write }; allow dhcpclient self:netlink_route_socket { write nlmsg_write }; allow dhcpclient varrun_file:dir search; allow dhcpclient varrun_file:dir search; allow dhcpclient self:packet_socket { create bind write read }; allowxperm dhcpclient self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK SIOCSIFMTU SIOCGIFHWADDR };
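Review bot: The new `allowxperm dhcpclient self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK SIOCSIFMTU SIOCGIFHWADDR };` at the end of the second hunk carries no comment saying why the DHCP client needs to set interface flags, address, netmask and MTU itself, and a reader cannot tell that SIOCGIFHWADDR only reads the MAC while the four SIOCSIF* commands change interface state. Suggest placing `# Apply the leased address to the interface; SIOCGIFHWADDR is read-only, the SIOCSIF* commands modify interface state` above the allowxperm line. The matching `allow dhcpclient self:udp_socket { ioctl create };` grants neither read nor write, so the socket is a control handle only, which the same comment could state. Moving `ioctl` off packet_socket and pinning the udp_socket ioctls to an explicit command list narrows what the domain can do and is the right direction; keep the two lines adjacent so the xperm list is not separated from the rule it restricts.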
target/board/generic/sepolicy/dhcpserver.te +2 −2 # DHCP server # DHCP server type dhcpserver, domain, domain_deprecated; type dhcpserver, domain; type dhcpserver_exec, exec_type, file_type; type dhcpserver_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(dhcpserver) init_daemon_domain(dhcpserver) net_domain(dhcpserver) net_domain(dhcpserver)
target/board/generic/sepolicy/execns.te +3 −7 # Network namespace transitions # Network namespace transitions type execns, domain, domain_deprecated; type execns, domain; type execns_exec, exec_type, file_type; type execns_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(execns) init_daemon_domain(execns) allow execns varrun_file:dir search; allow execns varrun_file:dir search; allow execns self:capability sys_admin; allow execns self:capability sys_admin; allow execns proc:file { open read }; #Allow execns itself to be run by init in its own domain #Allow execns itself to be run by init in its own domain domain_auto_trans(init, execns_exec, execns); domain_auto_trans(init, execns_exec, execns); @@ -19,8 +20,3 @@ domain_auto_trans(execns, dhcpserver_exec, dhcpserver); # Allow hostapd to be run by execns in its own domain # Allow hostapd to be run by execns in its own domain domain_auto_trans(execns, hostapd_exec, hostapd); domain_auto_trans(execns, hostapd_exec, hostapd); allow hostapd execns:fd use; allow hostapd execns:fd use; # Allow dnsmasq to be run by execns in its own domain domain_auto_trans(execns, dnsmasq_exec, dnsmasq); allow dnsmasq execns:fd use;
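Review bot: `allow execns proc:file { open read };` in the first hunk is added without a comment naming which /proc entry execns reads; `proc` is the label for /proc files that have no more specific type, so the rule covers considerably more than one file, and next to `self:capability sys_admin` it deserves an explicit rationale such as `# execns reads <PROC_FILE> to <REASON>` with the placeholders filled from the daemon source. If that entry already has, or can be given, its own type, a rule on that narrower type would be preferable to `proc`. The second hunk removes the dnsmasq transition and its `fd use` rule; if execns can still be asked to exec dnsmasq_exec, that exec would now be denied rather than confined, so it is worth confirming in the commit message that the launcher no longer spawns dnsmasq.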
target/board/generic/sepolicy/file_contexts +5 −4 @@ -17,11 +17,12 @@ /dev/ttyS2 u:object_r:console_device:s0 /dev/ttyS2 u:object_r:console_device:s0 /vendor/bin/init\.ranchu-core\.sh u:object_r:goldfish_setup_exec:s0 /vendor/bin/init\.ranchu-core\.sh u:object_r:goldfish_setup_exec:s0 /vendor/bin/init\.ranchu-net\.sh u:object_r:goldfish_setup_exec:s0 /vendor/bin/init\.ranchu-net\.sh u:object_r:goldfish_setup_exec:s0 /vendor/bin/init\.wifi\.sh u:object_r:goldfish_setup_exec:s0 /vendor/bin/qemu-props u:object_r:qemu_props_exec:s0 /vendor/bin/qemu-props u:object_r:qemu_props_exec:s0 /system/bin/execns u:object_r:execns_exec:s0 /vendor/bin/execns u:object_r:execns_exec:s0 /system/bin/ipv6proxy u:object_r:ipv6proxy_exec:s0 /vendor/bin/ipv6proxy u:object_r:ipv6proxy_exec:s0 /system/bin/dhcpclient u:object_r:dhcpclient_exec:s0 /vendor/bin/dhcpclient u:object_r:dhcpclient_exec:s0 /system/bin/dhcpserver u:object_r:dhcpserver_exec:s0 /vendor/bin/dhcpserver u:object_r:dhcpserver_exec:s0 /vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine u:object_r:hal_drm_widevine_exec:s0 /vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine u:object_r:hal_drm_widevine_exec:s0
target/board/generic/sepolicy/goldfish_setup.te +16 −3 @@ -16,10 +16,23 @@ allow goldfish_setup vendor_shell_exec:file { rx_file_perms }; set_prop(goldfish_setup, ctl_default_prop); set_prop(goldfish_setup, ctl_default_prop); # Set up WiFi # Set up WiFi allow goldfish_setup self:netlink_route_socket nlmsg_write; allow goldfish_setup self:netlink_route_socket { create nlmsg_write setopt bind getattr read write nlmsg_read }; allow goldfish_setup self:netlink_socket create_socket_perms; allow goldfish_setup self:netlink_socket create_socket_perms_no_ioctl; allow goldfish_setup self:capability { sys_module sys_admin }; allow goldfish_setup self:capability { sys_module sys_admin }; allow goldfish_setup varrun_file:dir { mounton open read write add_name search remove_name }; allow goldfish_setup varrun_file:dir { mounton open read write add_name search remove_name }; allow goldfish_setup varrun_file:file { mounton getattr create read write open unlink }; allow goldfish_setup varrun_file:file { mounton getattr create read write open unlink }; allow goldfish_setup execns_exec:file rx_file_perms; allow goldfish_setup execns_exec:file rx_file_perms; allow goldfish_setup proc_net:file w_file_perms; allow goldfish_setup proc_net:file rw_file_perms; allow goldfish_setup proc:file r_file_perms; set_prop(goldfish_setup, ctl_default_prop); allow goldfish_setup system_data_file:dir getattr; allow goldfish_setup kernel:system module_request; # Allow goldfish_setup to run /system/bin/ip and /system/bin/iw allow goldfish_setup system_file:file execute_no_trans; # Allow goldfish_setup to run init.wifi.sh allow goldfish_setup goldfish_setup_exec:file execute_no_trans; # iw allow goldfish_setup sysfs:file { read open }; # iptables allow goldfish_setup system_file:file lock; allow goldfish_setup self:rawip_socket { create getopt setopt };
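Review bot: `set_prop(goldfish_setup, ctl_default_prop);` is added a second time in the new block even though the identical line is already present as context at the top of the hunk; drop the duplicate. `allow goldfish_setup system_file:file execute_no_trans;` is far wider than its comment `# Allow goldfish_setup to run /system/bin/ip and /system/bin/iw` suggests: any system_file binary can be executed inside the goldfish_setup domain, which also holds `sys_module`, `sys_admin` and `kernel:system module_request`, so the comment should at least say that the grant is domain-wide for all of system_file and why no narrower label for ip and iw was available. The `proc_net:file rw_file_perms`, `proc:file r_file_perms` and `sysfs:file { read open }` additions are likewise unscoped; the `# iw` and `# iptables` tags are a start, but naming the specific file each rule exists for would make later tightening possible. The new `goldfish_setup_exec:file execute_no_trans` rule only works because file_contexts in this same commit labels /vendor/bin/init.wifi.sh as goldfish_setup_exec, which the comment could cross-reference.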